diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml
index 55bbc14f9..327c30a24 100644
--- a/.github/workflows/docker-build.yaml
+++ b/.github/workflows/docker-build.yaml
@@ -18,7 +18,7 @@ env:
 
 jobs:
   CI:
-    runs-on: [self-hosted,prod-cicd-runners]
+    runs-on: [prod-cicd-runners]
     steps:
     - uses: actions/checkout@v3
     # - uses: actions/setup-go@v3
diff --git a/crypto/crypto.go b/crypto/crypto.go
index 88c44d0e2..cb09c5b1c 100644
--- a/crypto/crypto.go
+++ b/crypto/crypto.go
@@ -39,7 +39,7 @@ import (
 	"golang.org/x/crypto/sha3"
 )
 
-//SignatureLength indicates the byte length required to carry a signature with recovery id.
+// SignatureLength indicates the byte length required to carry a signature with recovery id.
 const SignatureLength = 64 + 1 // 64 bytes ECDSA signature + 1 byte recovery id
 
 // RecoveryIDOffset points to the byte offset within the signature that contains the recovery id.
@@ -204,6 +204,9 @@ func UnmarshalPubkey(pub []byte) (*ecdsa.PublicKey, error) {
 	if x == nil {
 		return nil, errInvalidPubkey
 	}
+	if !S256().IsOnCurve(x, y) {
+		return nil, errInvalidPubkey
+	}
 	return &ecdsa.PublicKey{Curve: S256(), X: x, Y: y}, nil
 }